Community: Downloads

SANS Investigative Forensic Toolkit (SIFT) Workstation Version 3

Having trouble downloading? If you are having trouble downloading the SIFT Kit please contact sift-support@sans.org and include the URL you were given, your IP address, browser type, and if you are using a proxy of any kind.

Page Links

SIFT Workstation Overview

An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the SANS Incident Forensic Toolkit (SIFT) Workstation for incident response and digital forensics use and made it available to the whole community as a public service. The free SIFT toolkit, that can match any modern incident response and forensic tool suite, is also featured in SANS' Advanced Incident Response course (FOR 508). It demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

Offered free of charge, the SIFT 3 Workstation is taught only in the following incident response courses at SANS:

SIFT3 demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

"Even if SIFT were to cost tens of thousands of dollars, it would still be a very competitive product," says, Alan Paller, director of research at SANS. "At no cost, there is no reason it should not be part of the portfolio in every organization that has skilled incident responders."

Developed and continually updated by an international team of incident response and forensic experts, the SIFT is a group of free open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings. With over 100,000 downloads to date, the SIFT continues to be the most popular open-source incident-response and forensic offering next to commercial source solutions. For courses that feature the SIFT, please attend FOR508 Advanced Incident Response.

"The SIFT Workstation has quickly become my "go to" tool when conducting an exam. The powerful open source forensic tools in the kit on top of the versatile and stable Linux operating system make for quick access to most everything I need to conduct a thorough analysis of a computer system," said Ken Pryor, GCFA Robinson, IL Police Department

Download SIFT Workstation 3 Locations

Note: The file is zipped using 7zip in the 7z format. We recommend 7zip to unzip it. Download 7zip.

Manual SIFT Installation

Installation

We tried to make the installation (and upgrade) of the SIFT workstation as simple as possible, so we create the SIFT Bootstrap project, which is a shell script that can be downloaded and executed to convert your Ubuntu installation into a SIFT workstation.

SIFT Workstation and REMNux Compatibility

Having the right tools at your fingertips can save hours and even days when performing incident response or analyzing malicious artifacts. You can now install two popular Linux distros, SIFT Workstation and REMnux, on the same system to create a powerful toolkitfor digital forensics and incident response. To quote @ma77bennett, this combo is reminiscent of "Transformers combining together to form a super robot."

You can start with SIFT and then add REMnux, or begin with REMnux and add SIFT to it. If you prefer the look and feel of SIFT Workstation, use SIFT as the starting point. If you like the look of REMnux, start with that one.

After booting into SIFT Workstation and making sure that it has Internet access, run the following command to install REMnux on it:

Report Bugs

SIFT Recommendations

SIFT workstation is playing an important role for the Brazilian national prosecution office, especially due to Brazilian government budgetary constraints. Its incident response and forensic capabilities are bundled on a way that allows an investigation to be conducted much faster than it would take if not having the right programs grouped on such great Linux distribution. The new version, which will be bootable, will be even more helpful. I'd highly recommend SIFT for government agencies or other companies as a first alternative, for acquisition and analysis, from the pricey forensics software available on the market.

- Marcelo Caiado, M.Sc., CISSP, GCFA, EnCE

What I like the best about SIFT is that my forensic analysis is not limited because of only being ableto run an incident response or forensic tool on a specific host operating system. With the SIFT VM Appliance, I can create snapshots to avoid cross-contamination of evidence from case to case, and easily manage system and AV updates to the host OS on my forensic workstation. Not to mention, being able to mount forensic images and share them as read-only with my host OS, where I can run other forensic tools to parse data, stream-lining the forensic examination process.